The news comes three months after the nation’s largest crafts chain told customers it learned of a possible hack. It’s been investigating since then.
Some customers’ credit and debit card numbers as well as expiration dates were compromised, but the company said there is no evidence that information such as a customers’ names or PINs were stolen.
The breach occurred between May 8, 2013 and Jan. 27, 2014 and affected about 7% of transactions made with cards during that time. Not all stores were impacted and a “limited number” of those cards were subsequently used fraudulently, Michaels said.
The Michaels subsidiary Aaron Brothers was also hacked. Information from another 400,000 cards was potentially stolen at the Aaron Brothers stores between June 26, 2013 and Feb. 27, 2014.
“We want you to know we have identified and fully contained the incident, and we can assure you the malware no longer presents a threat to customers while shopping at Michaels or Aaron Brothers,” wrote CEO Chuck Rubin in a post on the company’s website.
The initial Michaels announcement came just weeks after Target also disclosed it was hacked. The attack on Target affected as many as 110 million customers, including 40 million credit and debit card shoppers at the height of the holiday shopping season.